Security is hard. Like, really hard.
But it’s not impossible.
That will come as a shock to precisely no people, but it’s important to remember because there’s no shortage of researchers, vendors, and others in the security industry telling you every day that software and hardware and everything in between is hopelessly broken and we should all assume that we’re owned and compromised every which way from Sunday.
That’s a nice marketing message, and it probably sells a lot of threat intelligence feeds, but it doesn’t help anyone fix things. There’s a healthy level of cynicism and doubt inherent in the security world, and those can be valuable qualities in some ways. But they can also evolve into a kind of defeatist attitude that gets in the way of actual security work.
It’s easy to get buried in the avalanche of APTs, data breaches, privacy disasters, and all of the other bad news that permeates the industry, but there’s plenty of evidence that things aren’t necessarily as bad as we think they are. For confirmation, you need look no further than the Cryptographers’ Panel at this week’s RSA Conference. Moxie Marlinspike, one of the smarter and more thoughtful security researchers working right now, said during the panel that he’s cautiously optimistic about the future of security. Or at least some of it.
“Usually I’d be trying to cement my position as the most cynical person on this panel, but in some ways we may be winning the future of communications and mass surveillance,” he said. “It looks to me like the future of mass surveillance is overlay on existing services like Facebook Messenger and those are using encryption. There is some hope, I think.”
Marlinspike was not alone in that sentiment. Whit Diffie, who helped invent public key cryptography and is so far past the status of legend at this point that there’s not really a good label to put on him, was also upbeat about the work that can be done to fix the many things that need fixing.
“We have accepted the notion, I think mistakenly, that we can’t have vastly more secure systems than what we have now. I think we should go back to the original issues and reexamine them,” Diffie said.
That, of course, is far easier said than done. The foundational problems of information security—message security, data security, etc.—are still problems, and for good reason: they’re difficult. Encryption has been in use for centuries, and we’re still finding new and interesting ways to do it wrong. But it’s also one of the few things that we know works really well in most cases, and can be relied upon to make life really difficult for nearly every class of attacker.
“The one thing that no country knows how to do is break encryption. We know encryption works. The technological facts are fixed,” Matthew Green, a cryptographer and professor at Johns Hopkins University, said at RSA.
Sure, a lot of things are broken, and many more will be broken soon, but there is some light at the end of the tunnel.